3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe
Size

91KB
MD5

6cf0be1c084f30d940c08a4835462bb0
SHA1

2feeab23cd078f98fac5ba6f8a28efa0b62df49d
SHA256

3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263
SHA512

c9b4f1f1acd823f16bebc3d0c72de0993d6b3eee5b9fc4103b78734fbb9ff23d116edb4955a93fa14befc78b5212f5d54886edc3dc4f99848535dd0f6c4df006
SSDEEP

1536:mmsAYBdTU9fEAIS2PEtu3ZUKT/HlAZ5NsyavLTWVP0n/W73A5xO:1fY/TU9fE9PEtupUKT/lATFYWd0nOUm

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000700000002343d-29.dat	acprotect
behavioral2/memory/4148-31-0x0000000074A60000-0x0000000074A69000-memory.dmp	acprotect

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002343d-29.dat	upx
behavioral2/memory/4148-31-0x0000000074A60000-0x0000000074A69000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4148 set thread context of 4928	4148	Un_A.exe	95

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Executes dropped EXE 1 IoCs

pid	Process
4148	Un_A.exe

Loads dropped DLL 5 IoCs

pid	Process
4148	Un_A.exe
4148	Un_A.exe
4148	Un_A.exe
4148	Un_A.exe
4148	Un_A.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Un_A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCHTASKS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133706097764957539"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-945322488-2060912225-3527527000-1000\{536592F0-81B3-4580-937B-A00F8EAF1AD9}	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4148	Un_A.exe
4148	Un_A.exe
1868	chrome.exe
1868	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 4148	4780	3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe	85
PID 4780 wrote to memory of 4148	4780	3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe	85
PID 4780 wrote to memory of 4148	4780	3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe	85
PID 4148 wrote to memory of 5012	4148	Un_A.exe	93
PID 4148 wrote to memory of 5012	4148	Un_A.exe	93
PID 4148 wrote to memory of 5012	4148	Un_A.exe	93
PID 4148 wrote to memory of 4928	4148	Un_A.exe	95
PID 4148 wrote to memory of 4928	4148	Un_A.exe	95
PID 4148 wrote to memory of 4928	4148	Un_A.exe	95
PID 4148 wrote to memory of 4928	4148	Un_A.exe	95
PID 1868 wrote to memory of 1112	1868	chrome.exe	110
PID 1868 wrote to memory of 1112	1868	chrome.exe	110
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3520	1868	chrome.exe	111
PID 1868 wrote to memory of 3476	1868	chrome.exe	112
PID 1868 wrote to memory of 3476	1868	chrome.exe	112
PID 1868 wrote to memory of 1040	1868	chrome.exe	113
PID 1868 wrote to memory of 1040	1868	chrome.exe	113
PID 1868 wrote to memory of 1040	1868	chrome.exe	113
PID 1868 wrote to memory of 1040	1868	chrome.exe	113
PID 1868 wrote to memory of 1040	1868	chrome.exe	113
PID 1868 wrote to memory of 1040	1868	chrome.exe	113
PID 1868 wrote to memory of 1040	1868	chrome.exe	113
PID 1868 wrote to memory of 1040	1868	chrome.exe	113
PID 1868 wrote to memory of 1040	1868	chrome.exe	113
PID 1868 wrote to memory of 1040	1868	chrome.exe	113
PID 1868 wrote to memory of 1040	1868	chrome.exe	113
PID 1868 wrote to memory of 1040	1868	chrome.exe	113
PID 1868 wrote to memory of 1040	1868	chrome.exe	113
PID 1868 wrote to memory of 1040	1868	chrome.exe	113
PID 1868 wrote to memory of 1040	1868	chrome.exe	113
PID 1868 wrote to memory of 1040	1868	chrome.exe	113
PID 1868 wrote to memory of 1040	1868	chrome.exe	113
PID 1868 wrote to memory of 1040	1868	chrome.exe	113
PID 1868 wrote to memory of 1040	1868	chrome.exe	113
PID 1868 wrote to memory of 1040	1868	chrome.exe	113

C:\Users\Admin\AppData\Local\Temp\3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe
"C:\Users\Admin\AppData\Local\Temp\3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Suspicious use of SetThreadContext
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Windows\SysWOW64\SCHTASKS.exe
    SCHTASKS /DELETE /TN PCAppStoreUpdater /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5012
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\system32\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe6f28cc40,0x7ffe6f28cc4c,0x7ffe6f28cc58
  2⤵
  PID:1112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1884,i,4914171109622106092,17964632269799002352,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,4914171109622106092,17964632269799002352,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,4914171109622106092,17964632269799002352,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2496 /prefetch:8
  2⤵
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,4914171109622106092,17964632269799002352,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,4914171109622106092,17964632269799002352,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3716,i,4914171109622106092,17964632269799002352,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4804,i,4914171109622106092,17964632269799002352,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5008,i,4914171109622106092,17964632269799002352,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:444
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff62daf4698,0x7ff62daf46a4,0x7ff62daf46b0
    3⤵
    - Drops file in Program Files directory
    PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4624,i,4914171109622106092,17964632269799002352,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5372,i,4914171109622106092,17964632269799002352,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5556,i,4914171109622106092,17964632269799002352,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5564,i,4914171109622106092,17964632269799002352,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  - Modifies registry class
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3420,i,4914171109622106092,17964632269799002352,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3340 /prefetch:8
  2⤵
  PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3672,i,4914171109622106092,17964632269799002352,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3428 /prefetch:8
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5716,i,4914171109622106092,17964632269799002352,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5936 /prefetch:8
  2⤵
  PID:3612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3492,i,4914171109622106092,17964632269799002352,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5700 /prefetch:8
  2⤵
  PID:3840

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4424

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308 0x2b4
1⤵
PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
c5e561849accfa45d5d0383394d5f56a

SHA1
b14f0c57399a36924d8e18f129d1d4d28b7d25b1

SHA256
d6582ff0e6a2fe34bce79943d804c4fbc33222b878813fc218bf3d026b65f5b0

SHA512
0619155948eab3c08dd62fb4c0b4291a58fde402c0cfea83563bb303cf6ee94c038315c0a198a8ae22bab2e0248f28e1ee41200257a87891f747f5e41282d3f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
c999b1094848d4885a9dc3e3ef4971b4

SHA1
c1f208d64ae1e22a2e2d1c18d14520aad7178022

SHA256
3f971507e34ba6b10b9c2544ff311dde37325a1b844d11dc605cf09e5199b1a3

SHA512
e1576b26c408bdf5eff2dc4d1882995810123ebc1509fb441e7ed7d970a54376872f9d75f5b160543f4a4d60bfe0206c15960980ffc2efc6a1dbf2af7df2ab5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
8842cd821aac8257598d03374498f010

SHA1
091a0cd42c231377c057088c6a8050f115124422

SHA256
6066f2b68482f61565eca89343fc3e6ab64254a3283986e8917567d7adb43c63

SHA512
a9d40a82f081d7e41a3bc480cf5baff92aa61cd94009f1a7e6fa3a2a50dcf0bc8220e3b47552190334c47a46fe80856389728674557518d3e527738617cc806f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1e68ecf146644e079ad320babaa059a1

SHA1
2414a534295b4a37a56922dd43ca682f209c2437

SHA256
5e4f3515c6548ce7f3de1563af358a9106bf4d96ed7cfa2b57086f25fb83b4af

SHA512
a4ea8b29f03a247861a45a4218662832890a113c657249853198773c7e49dcd0b08293cfaad17494e031cdbedb112219507c8de001cdab249db8a6aa7aa86a7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3239b258634d3fb417e5a6dcb5c64514

SHA1
974427cffe00edb96081d12a416d68c80fd5c2f3

SHA256
10b596515c750bb4521c7a48b133c2ae3e50683bf87fdb7ee8ff6ee6a55f856d

SHA512
44b9c152936a48b554ff11c9ff6c9c59955e7ce61cf310497ee42c6c178fd5e468abd369cb3d6d10db89e7d099889a5d13514f3b4ff0575ab90c3cccbdaf5eae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
19a3ae4a7a30674d65cc8da3819d200c

SHA1
d9b75c7013164bc792c0b6f3d45a1c4008f3422d

SHA256
b6c328ef6634758f3873f5cfcb2ba12b4edfb2a4fd06b41299efa6fa958fb20f

SHA512
1e991f9e898854d9814e48137683c2a7b507e66045f3c252611b16e073798fe5760ad166b6962afd098513d848b8999f85012a0d6192ee1e8c43b83cec7e2afe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7da6193aa793595cc19bdb25f9234f24

SHA1
9788e23f7f2ad4ced029fff69676f4f87221699c

SHA256
ce15a9725c25141dd753392078283689806933169c2add2094c2c636baf44d28

SHA512
9d0932f2d75bb767b1ea649c97d2b7c9353b5893fd21fa0381c67c2f71dde9195c78a93d47977f7568585b5cab0d3097e1526e7934aa4441425b38ae5112577b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
aad13ada1d34f760e8237845df396078

SHA1
85562e85a59455db85bce00db6cb3a62a7a5a4a3

SHA256
fbf48096de3ff5fbadc301d54429c8cc02fcddc2e69b0afc22f05cd6812ab694

SHA512
5c2d941ce9a0a8eddfd54ec7b76fcee7b7017d7172da333b9e4501ec01720bf575761d817a89e4c1293b36a705effa0741d6a2b89e5564d6ab01f2ff78651e24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
32952fc296a703f87586e75c95051da9

SHA1
adfbeff5317e600fddf0dc7e74e3cd46563b13d5

SHA256
9c257db7a190ff40b55d0d8aded9559b570467a3b7db91113cbad6f23ad61bcf

SHA512
0d2aa9e9cf0f284a2e6fa95cdffdcce5def7173cfadaf56dfe850181390d89608a63f9b6d773de8a7b8526e6355e223c4bf02c6d6b39dd4f02eeeba4f184a5a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9cca6be7603412a1f6d3fb7c8d847ba1

SHA1
7ed1e4f928c8c68630bc80f4bb636a87b7e3efb8

SHA256
ed359494994bdbb197b68226583f5cca2d6920de8f67134257a649f0c01aaab7

SHA512
60d20ea8e073576b23d2aa992b6b332dad649772e9b18db8da0d0576ac8ac3ffcde59ebfe8f93422da73d953ca5577e5016088765b6a696ccad2031d94caa5f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
87daffdc641c66c1b5b2dc842551fee1

SHA1
cd7fd4409b0a2d223cfc5ceba3248ef54aab7159

SHA256
8f4a4a9fca6fdab8c0d82ed37012bb6294b24cb9473c1ab4f1565b7234709d10

SHA512
8eb50a21e2eb3fe970556ae0eb1d790348b1c59e201ef5321a670738471e93631880f7eab0cae72fab24d89832d912ef5177c084e23be04c203098a60f436df9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
17d32d96b84e6fd375a67b20436d7c9a

SHA1
6d32a94fa601e6f5a17d4fb0ade02276dd8bda83

SHA256
290fda052c7c8d3eaffad5552e5df35155a89eb0b2ce925a24e4a1b43b4dc507

SHA512
9fa87d55e386b0847323e8ba0e8c3c2e2c0b71e0dfa7d278793e9f5ac32afefee2d6c678eee9ebd223cc3cfcc00c9c3d0390f319a6b719a52dd7fbc8e34385c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
44c243c5f863507e50017ce3fed1b83e

SHA1
1e54e8781cac4b0d0554d6d0b7fa664f43fe5d66

SHA256
07002867fdd409b1c2a2e65e3020a4155ad5f2beecdd1a4453c7b269aa20b1cc

SHA512
f3ef69bccc9b6c238ec6ee71c5aefee8568548ee578d085972e1b9117cfa927ec9278b46c136df00db82191b0025516c684a313d9ad9ddf232f4f6aa4c7e78c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bca31e5fa49854346e0c64ff7b6c9b19

SHA1
e0cb111d2c3a92e444d6d311227227e3ea32d5d5

SHA256
2a600d0d815f92152f146eb1692ebe3813aa102e71798a68b8592ac5822f8e89

SHA512
a5f18ad528a81337bf0bb656e78f3192e1fd87a969f6983ac66d5895d0e08af86eb6709bcd71011f7c8d3a6aeef40188bc1c4abb4a3842552a0129a4f064bbfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1d81b08c694c2d8cfddc377249cd7612

SHA1
9a0bc406ec7aa2aeae00ea08351ea3f06513b40a

SHA256
6b1ef44f57429fcf4e20c0feb84f29a36bfbf3fb8c1ed26b2c56ddb1e8331813

SHA512
06ba4a5938a05b2090169284ced2da0c3478c04bcf8d09054c50c6b0790295be9923efce7506e0417ebcf0742b9da8fbf88aa4a3197f02142533ea820fe8344d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e034d3c608f842f89e00fb174a3477f8

SHA1
a40ecb09dc00087f7169ebec2074810b7b9968b1

SHA256
436372353c6f0e0cb57b2d84a05fbf40b4fa69d25f372b8971988dd472d31391

SHA512
0feefea227d13953adcf50ea3478a489004b15082bb1d80405adccab8588d611078ff6e24c1f1453aef5b29cc14a0740ba1c80fd5073a2ca1e490bb58c96b752

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
207KB

MD5
fe1e981bdbf3ee428d7ac1dacd904e00

SHA1
c8f58b1a1b5ed59a9bc9bed3a394a4e0bae77abe

SHA256
097fffeefc08d7389d4587bfcd413660bb14804769bbc2727e5ad3e4a6ce8cbf

SHA512
60305575fd7652986fb2c7acbe4d67dd0764413e022b940164b205db0bc38e0599dc8cd6194f585afd101df3be195171bcfbc3d1cea52233656b26cb230c8681

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
207KB

MD5
3ab12f79d61adb99cafe7802a297d4ca

SHA1
bd587265fe9be1f8090c0d3c2fffc67a3667b8f1

SHA256
9dfd13cd3824eea76f5eafff3d28478af4b2b69c3d9c21d37ab2a7860f91130a

SHA512
19fcf392d58f5cbe2a6ba3a7fe1b4af7a893dcfd8a33764de02aaf323d3a70219d3c47bd48f809e364cbd50cafaae6016c535d6e2ab5231092d1fed21ea4c98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc66CA.tmp\SelfDel.dll

Filesize
5KB

MD5
ca8bcdded6b265453cf68bae8bbd0b3a

SHA1
9dbe872ac53e075c0954c882d034aa009c733092

SHA256
299ba97dda721cc9216bda218769eb269a239c8bcf09bd6acc774ff935849184

SHA512
a9b19434c35236a049036f0153a5c7184c95249fdb04ef7605484551d40a8aba37462eb617e96301cd4363a324f0282e26179ce4b78973ca43e0a63b4dffb33c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc66CA.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc66CA.tmp\inetc.dll

Filesize
38KB

MD5
a35cdc9cf1d17216c0ab8c5282488ead

SHA1
ed8e8091a924343ad8791d85e2733c14839f0d36

SHA256
a793929232afb78b1c5b2f45d82094098bcf01523159fad1032147d8d5f9c4df

SHA512
0f15b00d0bf2aabd194302e599d69962147b4b3ef99e5a5f8d5797a7a56fd75dd9db0a667cfba9c758e6f0dab9ced126a9b43948935fe37fc31d96278a842bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc66CA.tmp\nsExec.dll

Filesize
7KB

MD5
675c4948e1efc929edcabfe67148eddd

SHA1
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

SHA256
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

SHA512
61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
91KB

MD5
6cf0be1c084f30d940c08a4835462bb0

SHA1
2feeab23cd078f98fac5ba6f8a28efa0b62df49d

SHA256
3f5b0fbbf8281387fa50156b1475271964f5d98b3788be1424f778000dc3a263

SHA512
c9b4f1f1acd823f16bebc3d0c72de0993d6b3eee5b9fc4103b78734fbb9ff23d116edb4955a93fa14befc78b5212f5d54886edc3dc4f99848535dd0f6c4df006

Download Submit
memory/4148-31-0x0000000074A60000-0x0000000074A69000-memory.dmp

Filesize
36KB

Download